Comfyui 7e6098

Security checks across malware telemetry and agentic risk

Overview

This is a simple ComfyUI guidance skill with broad triggers but no code, installation commands, persistence, credentials, or sensitive access.

Install only if you want a ComfyUI helper that may activate on broad ComfyUI-related wording. Review the referenced Bilibili links and tutorial advice independently before running any ComfyUI setup steps outside the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger scenarios are broad enough to activate on ordinary user requests such as simply mentioning 'comfyui' or asking for related help. This can cause unintended skill invocation, which may override normal assistant behavior, inject low-quality or irrelevant guidance, and expand the attack surface for prompt-triggered behavior.

Vague Triggers

Medium
Confidence: 84%
Finding
The manifest trigger field includes multiple broad marketing-style phrases rather than a precise activation token. Ambiguous triggers increase the chance of accidental activation from normal discussion or copied video titles, making the skill less predictable and easier to invoke unintentionally.

VirusTotal

63/63 vendors flagged this skill as clean.
